Privacy and security news and privacy and security widget

A workaround emerged from Oracle as news circulated of a remotely exploitable flaw, without requiring authentication, involving the WebLogic platform.Both the WebLogic Server and WebLogic Express products, acquired by Oracle when the company purchased BEA, suffer from the newly disclosed vulnerability. SANS internet Storm Center said the problem stems from the Apache Connector used by the products. A WebLogic advisory noted the flaw could be exploited without authentication. Sites using Apache servers that are already configured with the mod_security module are protected from this vulnerability by the default core ruleset, according to the advisory. Using mod_security with the WebLogic plug-in for Apache serves as one workaround suggested by Oracle. The other workaround calls for an edit to httpd.conf and a restart: It is possible to configure Apache and avert this vulnerability by rejecting certain invalid requests. To do so, add the following parameter to the httpd.conf file and

The same critical DNS issue that HD Moore and his associates raced to include in their security testing toolkit, the Metasploit Project, bounced back against the noteworthy security researcher.Security pros and other techies who see the boundary-pushing actions of Moore and Metasploit as more of a hindrance than a help to security may have enjoyed the schadenfreude surrounding Moore today. Moore detailed what happened on a blog post at Metasploit. The incident hit an AT&T DNS cache server; the affected machine coincidentally served "as an upstream forwarder for an internal DNS machine at BreakingPoint Systems," which is Moore's company. "This attack affected anyone in the Austin, Texas region using that AT&T internet Services (previously SBC) DNS server. The attack itself was not malicious, did not load malware, and from an operational standpoint, had zero impact," said Moore. Employees at his company noticed problems when the cache-poisoned DNS machine at AT&T returned a 404 error